Hackers Are Targeting Bitcoin Hot Wallets—Here's How

The founder of the Ordinal Rugs project said hackers targeted members of the Bitcoin Rock Discord server on Tuesday, stealing $1.47 BTC, around $103,003, and 4 BTC, around $208,196, worth of Ordinal inscriptions from their wallet.

Ordinals are the hot thing in digital collectibles; over 63 million inscriptions have been minted on the Bitcoin blockchain, with 6388 BTC in fees only to date, around $450 million, according to a Dune Analytics report. This makes Bitcoin a tempting target for hackers.

“In the ten years I've spent in crypto, this is the first time I've lost a sizable amount of money through a hack/scam (let alone a wallet drainer),” the pseudonymous founder Archon disclosed in a tweet thread—admitting that he had been careless, despite implementing strong security controls.

“I'm not one to take op-sec lightly,” they wrote. “I have all personal logins authenticated with Yubikeys, and the majority of my crypto assets/ordinals are secure on hardware + multi-sig wallets.”

Cyber attacks targeting crypto wallets are common, and celebrities and prominent community are frequent targets. In May 2022, actor Seth Green was the victim of a phishing attack that robbed him of a Bored Ape Yacht Club NFT. While thieves have traditionally concentrated the Ethereum and Solana blockchain, Ordinals are the hot new thing, which draws scammers—and puts Bitcoin wallets in their crosshairs.

As Archon explained, the hack started with a message sent to the members of the Bitcoin Rock Discord advertising a giveaway of the popular Runestones Ordinals. The account included a link to a malicious Magic Eden NFT website clone. When Archon connected his wallet to the site and signed the transaction, the thief was able to steal the NFTs.

“I don't know if anyone else was affected,” Archon told Decrypt. “I realized [the theft] less than a minute after signing the [transaction].”

The hackers even used one of the stolen inscriptions, 53,109,400, to pay the transaction fee.

“No funds/accounts/logins related to [Ordinal Rugs] were affected... this was just my own personal wallet and I only have myself to blame here,” Archon said. “Needless to say, I will not allow this to happen again.”

According to blockchain security firm Halborn, a lack of due diligence and FOMO causes collectors to make mistakes they normally would not.

“By pinging the entire server, he thought that message was from the admin so he inherently trusted that URL and clicked it,” Halborn COO David Schwed told Decrypt. “So really just a piece of the social engineering and phishing.”

Phishing is a form of cybercrime that attempts to steal something of value (in this case, an NFT) through deceptive emails, websites, or social media.

Schwed highlighted the ease of cloning a website and said wallet users must be extra vigilant, including double-checking website URLs.

“There are plugins people can use that may alert them that it's a fake domain,” Schwed told Decrypt. “It would look at things like when the domain was registered.”

Schwed said another option is to use browser extensions that block newly observed and newly registered domains.

Not wanting to be left out of the Ordinals craze, a cottage industry of compatible wallets has come online, but they lack the history and hard-won wisdom drawn from attacks suffered by older NFT-friendly wallets like MetaMask and Phantom. Veteran providers have the battle scars to prove their commitment to security, boasting features like Blockaid and malicious attack alerts that newer wallets may not have.

“Some wallets have some security built in, and others don’t,” Schwed said, noting Metamask's integration of Blockaid last year. "Many of them focus on smart contracts, which may be why they targeted BTC.”

Edited by Ryan Ozawa.